Source Code for BankBot Android Trojan Leaks Online

The source code of Android banking Trojan BankBot, along with instructions on how to use it, recently emerged on a hacker forum, Doctor Web security researchers have discovered.

The source code was published about a month ago, but Android malware based on the code was spotted last week. Once the malware gets admin privileges on an infected device, it removes its shortcut from the homescreen to hide itself and hinder removal. Next, it connects to a command and control (C&C) server to retrieve instructions.

The BankBotTrojan is distributed masquerading as benign applications. On the infected devices, it can request administrative privileges to display phishing pages to steal login credentials, intercept and send SMS messages, send USSD requests, retrieve contacts list, track the device, make calls, and receive an executable file containing a list of banking apps to attack.

Malicious programs that provide such capabilities are usually being sold as commercial products on underground forums. However, with the source code of this application leaked online, chances are that the number of attacks involving Android banking Trojans will register a significant increase soon, Dr.Web suggests.

The malware can track the launch of banking applications on the user’s device and overlay phishing dialogues to trick users into revealing their login information. The malware is targeting over three dozen such financial applications, including banking and payment system software.

The security researchers have discovered that the malware can also steal bank card information. For that, the Trojan tracks the launch of multiple popular applications on the device, including Facebook, Viber, Youtube, WhatsApp, Uber, Snapchat, WeChat, imo, Instagram, Twitter, and Play Store, to display a phishing dialog on top of them, tricking users into believing it is a Google Play purchase page.

“Information on found matches is sent to the C&C server. The Trojan receives a list of files to be monitored from execution. After one of them is launched, Android.BankBot.149.origin displays WebView on top of the attacked application with a fraudulent authentication form to access the user account. Then the entered information is sent to the server,” Dr.Web says.

BankBot was also designed to steal SMS messages. When an SMS arrives, the malware turns off sounds and vibrations and sends the content of the message to the cybercriminals, while also attempting to delete the original entry from the list of incoming SMS. This would result in users missing bank notifications about unplanned transactions that cybercriminals are performing.

Data stolen from the device, which includes information on the anti-virus applications installed on the infected device, is uploaded to the C&C server, making it accessible to the cybercriminals. What’s more, the security researchers say, an administration panel provides operators with control over the malicious app.

“In general, the possibilities of this Trojan are quite standard for modern Android bankers. However, as cybercriminals created it with publicly available information, one can anticipate that many Trojans similar to it will appear,” Doctor Web’s security researchers conclude.

“Dumping malware code is great way to allow others to contribute to the code and modify it to help evade detection. This tactic was very successful for distributing Zeus. When you have a larger group modifying the code, the number of variants increases rapidly, making it very hard for security products that rely on pattern matching to detect it,” Lamar Bailey, Senior Director of Security R&D for Tripwire, told SecurityWeek in an emailed comment.